A hacker group aligned with Pakistan has initiated a new cyber-espionage campaign, targeting various Indian government, academic, and strategic organizations. This operation has been attributed to APT36, also known as Transparent Tribe, a persistent threat actor with a history of spying on Indian government bodies, military-related organizations, and universities.
According to researchers at cybersecurity firm Cyfirma reported, the latest campaign commences with spear-phishing emails. These emails contain a ZIP archive that holds a malicious file disguised as a PDF. When opened, this file deploys two malware components, named ReadOnly and WriteOnly.
The malware is designed to covertly embed itself within victims’ systems, adapting its behavior based on the installed antivirus software. Cyfirma indicates that it can remotely control infected machines, extract data, and conduct continuous surveillance. This includes capturing screenshots, monitoring clipboard activity, and enabling remote desktop access.
Researchers noted that the clipboard monitoring capability could also be exploited to steal or alter copied data, potentially allowing attackers to hijack cryptocurrency transactions.
The analyzed campaign highlights the group’s long-term surveillance goals rather than immediate financial gain or disruptive actions, aligning with state-sponsored intelligence-gathering priorities.
While Transparent Tribe has previously been described by researchers as less technically advanced compared to some other espionage groups, its persistence and ability to evolve tactics over time have been recognized in past assessments.
Cyfirma observed that the recent campaign demonstrates an advancement in APT36’s technical capabilities. These improvements include exploiting trusted Windows components, using common file formats for deception, and employing multi-stage, fileless execution techniques.
APT36 has been active since at least 2013, with links to cyber-espionage operations targeting government and military entities in India and Afghanistan, as well as institutions in approximately 30 other countries.
The group also shares characteristics with Cosmic Leopard, another Pakistan-linked threat actor. Cosmic Leopard was responsible for a multi-year espionage campaign against Indian government agencies and defense and technology companies, which was identified last year.
